IntelOwl
[Analyzer] Feodo Tracker + allow to disable the analyzer/updates
We need to find a way (very similar to how the TorProject analyzer is handled) to periodically download the dataset from the Feodo Tracker and keep it inside IntelOwl, to allow users to perform lookups against it.
They provide 3 different datasets, so we could choose to download all of them and show the results differently based on which list the looked-up IP address was found in.
Plus, considering that downloading this data is heavy in terms of generated traffic, we should provide a variable (that can be changed) where users can decide whether to enable it or not. In this way, users who are not interested in the service can disable the recurrent updates. As a result, the GUI should show the analyzer as "not configured", like the analyzers which don't have their API key set. Then, the same behavior should be replicated for the other analyzers that work like that (Tor, Maxmind, Yara_Scan_*, Talos).
> They provide 3 different datasets, so we could choose to download all of them and show the results differently based on which list the looked-up IP address was found in.

I think it is enough to download this one: https://feodotracker.abuse.ch/downloads/ipblocklist.json

> Plus, considering that downloading this data is heavy in terms of generated traffic, we should provide a variable (that can be changed) where users can decide whether to enable it or not. In this way, users who are not interested in the service can disable the recurrent updates. As a result, the GUI should show the analyzer as "not configured", like the analyzers which don't have their API key set.

To do that, I think it would be enough to set this analyzer as disabled by default. In this way, the update method that retrieves the data from the external source won't run.
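As an added example (not IntelOwl's code and not from anyone in this thread), here is a minimal local cache for the single ipblocklist.json dataset proposed above: a once-a-day refresh check, an opt-out flag that keeps the updater off the network, and a "not_configured" verdict when the flag is off or no cache exists, mirroring how analyzers without an API key are presented. The names FEODO_ENABLED, MAX_AGE_SECONDS, Verdict and the functions are assumptions made for this example. The sample feed is constructed: it follows the field names of the public JSON feed but uses RFC 5737 documentation addresses, not real C2 servers. The HTTP download itself is deliberately left out so the block runs offline.

```python
"""Local Feodo Tracker blocklist cache with an opt-out switch (illustrative, not IntelOwl's own code)."""
import ipaddress
import json
import os
import tempfile
import time
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical settings; the real analyzer would read these from IntelOwl's configuration.
FEODO_URL = "https://feodotracker.abuse.ch/downloads/ipblocklist.json"
FEODO_ENABLED = True          # users not interested in the service set this to False
MAX_AGE_SECONDS = 24 * 3600   # refresh at most once a day, as suggested in the thread

# Constructed sample in the shape of ipblocklist.json (a JSON list of objects).
# RFC 5737 documentation addresses; nothing here is a real indicator.
SAMPLE_FEED = json.dumps([
    {"ip_address": "192.0.2.10", "port": 443, "status": "online",
     "hostname": None, "as_number": 64496, "as_name": "EXAMPLE-AS",
     "country": "US", "first_seen": "2023-01-01 00:00:00",
     "last_online": "2023-01-02", "malware": "Dridex"},
    {"ip_address": "198.51.100.7", "port": 8080, "status": "offline",
     "hostname": "example.invalid", "as_number": 64497, "as_name": "EXAMPLE2-AS",
     "country": "DE", "first_seen": "2023-02-01 00:00:00",
     "last_online": "2023-02-03", "malware": "Emotet"},
])


@dataclass
class Verdict:
    found: bool
    status: str                      # "not_configured", "stale" or "ok"
    entries: list = field(default_factory=list)


def parse_feed(raw: str) -> dict:
    """Index the feed by IP; one IP can appear several times (different ports or families)."""
    index: dict = {}
    for entry in json.loads(raw):
        # Normalise and reject malformed rows before they reach the cache.
        ip = str(ipaddress.ip_address(entry["ip_address"]))
        index.setdefault(ip, []).append(entry)
    return index


def write_cache(raw: str, path: str) -> int:
    """Persist a downloaded feed atomically; returns the number of indexed IPs."""
    index = parse_feed(raw)           # validate first, so a bad download never clobbers a good cache
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        json.dump(index, fh)
    os.replace(tmp, path)             # atomic swap: a concurrent lookup never sees a half-written file
    return len(index)


def needs_update(path: str, enabled: bool = FEODO_ENABLED,
                 now: Optional[float] = None, max_age: int = MAX_AGE_SECONDS) -> bool:
    """Decide whether the periodic task should fetch FEODO_URL. A disabled analyzer never hits the network."""
    if not enabled:
        return False
    if not os.path.exists(path):
        return True
    now = time.time() if now is None else now
    return now - os.path.getmtime(path) > max_age


def lookup(ip: str, path: str, enabled: bool = FEODO_ENABLED,
           now: Optional[float] = None, max_age: int = MAX_AGE_SECONDS) -> Verdict:
    """Look an IP up in the local cache; report 'not_configured' when disabled or never downloaded."""
    if not enabled or not os.path.exists(path):
        return Verdict(False, "not_configured")
    with open(path) as fh:
        index = json.load(fh)
    now = time.time() if now is None else now
    status = "stale" if now - os.path.getmtime(path) > max_age else "ok"
    entries = index.get(str(ipaddress.ip_address(ip)), [])
    return Verdict(bool(entries), status, entries)


def demo() -> dict:
    """Exercise the whole flow against the constructed feed in a temporary directory."""
    path = os.path.join(tempfile.mkdtemp(), "feodo_ipblocklist.json")
    indexed = write_cache(SAMPLE_FEED, path)
    later = time.time() + 2 * MAX_AGE_SECONDS
    return {
        "indexed": indexed,
        "hit": lookup("192.0.2.10", path),
        "miss": lookup("203.0.113.1", path),
        "disabled": lookup("192.0.2.10", path, enabled=False),
        "stale_hit": lookup("192.0.2.10", path, now=later),
        "fresh_needs_update": needs_update(path),
        "stale_needs_update": needs_update(path, now=later),
        "disabled_needs_update": needs_update(path, enabled=False, now=later),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The two checks a practitioner cares about are at the top of needs_update and lookup: with the flag off, the updater returns False before touching the filesystem or the network, and the lookup answers "not_configured" rather than silently returning an empty result, so the GUI can present the analyzer exactly like one that is missing an API key.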
Anyway, if we update this information just once a day, it won't be a problem to keep it enabled by default.
I can look into this! Assign, please.
Solved in v6.0.0.